
update AdvancedTlsX509KeyManager to support key alias for reloaded cert#12686

Open

zhangweikop wants to merge 1 commit into grpc:master from zhangweikop:tls-key-manager-update

Conversation

@zhangweikop

Overview

Make the alias in AdvancedTlsX509KeyManager dynamic so it can be used with Netty's
OpenSslCachingX509KeyManagerFactory to update key material after reload.

Fixes #12670

Problem

When using SslProvider.OPENSSL, each TLS handshake must encode Java key material into a native
buffer consumed by OpenSSL, which can account for ~8% of server CPU. Netty's
OpenSslCachingX509KeyManagerFactory avoids this by caching the encoded buffer keyed by alias —
but the previous implementation always returned "default", so the factory could never detect
credential rotations and create a new cache entry on cert reload.

Details

  • The alias is now set to key-<N> (e.g. key-1, key-2, ...) and incremented on every
    updateIdentityCredentials call, ensuring the same alias always maps to the same key material.
  • A new constructor AdvancedTlsX509KeyManager(int revisionWarningThreshold) allows customizing
    the soft warning threshold (default: 1024, matching OpenSslCachingX509KeyManagerFactory's
    default maxCachedEntries). A warning is logged when the counter reaches the threshold, since
    beyond that point new aliases won't be cached and per-handshake encoding overhead resumes. The
    key manager remains fully functional past this threshold.
  • All alias methods return null before any credentials are loaded.
  • Recommended usage with OpenSSL:

        new OpenSslCachingX509KeyManagerFactory(
            new KeyManagerFactoryWrapper(advancedTlsKeyManager))
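The PR description explains why a constant alias defeats an alias-keyed cache: the caching factory never sees a new alias after a rotation, so the encoded buffer for the old credentials keeps being served. The following is an added, self-contained Java illustration of that failure mode next to the per-reload alias scheme described above; it is not code from grpc-java or Netty. `RotatingAliasKeyManager`, `Credential` and `AliasKeyedEncoder` are hypothetical stand-ins (strings instead of real keys, a map instead of Netty's native buffer cache), and the constructed PEM-like text is not a real certificate.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example (not gRPC or Netty code): alias-keyed caching with and without a rotating alias. */
public final class AliasRotationDemo {

  /** Stand-in for private key plus certificate chain. The pem field is constructed text, not a real cert. */
  static final class Credential {
    final String alias;
    final String pem;
    Credential(String alias, String pem) { this.alias = alias; this.pem = pem; }
  }

  /** Hypothetical key manager mirroring the PR's described behaviour: alias key-<N>, null before first load. */
  static final class RotatingAliasKeyManager {
    static final int DEFAULT_REVISION_WARNING_THRESHOLD = 1024; // matches the PR's stated default
    private final int revisionWarningThreshold;
    private final AtomicInteger revision = new AtomicInteger();
    private volatile Credential current; // null until updateIdentityCredentials is called

    RotatingAliasKeyManager() { this(DEFAULT_REVISION_WARNING_THRESHOLD); }
    RotatingAliasKeyManager(int revisionWarningThreshold) { this.revisionWarningThreshold = revisionWarningThreshold; }

    /** Each reload gets a fresh alias, so alias -> key material is a stable mapping. */
    void updateIdentityCredentials(String pem) {
      int n = revision.incrementAndGet();
      current = new Credential("key-" + n, pem);
      if (n == revisionWarningThreshold) {
        // Soft warning only: the manager keeps working, but a bounded cache stops adding new aliases.
        System.err.println("WARNING: credential revision reached " + n
            + "; aliases beyond the cache limit will be encoded on every handshake");
      }
    }

    /** Analogue of chooseServerAlias/chooseEngineServerAlias: null before any credentials exist. */
    String chooseServerAlias() { Credential c = current; return c == null ? null : c.alias; }

    Credential credentialFor(String alias) {
      Credential c = current;
      return (c != null && c.alias.equals(alias)) ? c : null;
    }
  }

  /** Stand-in for a cache of encoded key material keyed by alias, with a bounded number of entries. */
  static final class AliasKeyedEncoder {
    private final Map<String, byte[]> cache = new LinkedHashMap<>();
    private final int maxCachedEntries;
    int encodeCalls; // counts the expensive "native encoding" work

    AliasKeyedEncoder(int maxCachedEntries) { this.maxCachedEntries = maxCachedEntries; }

    byte[] encodedFor(String alias, Credential cred) {
      byte[] hit = cache.get(alias);
      if (hit != null) return hit;                 // same alias -> reuse encoded buffer, no re-encode
      encodeCalls++;
      byte[] encoded = cred.pem.getBytes(StandardCharsets.UTF_8); // stand-in for native encoding
      if (cache.size() < maxCachedEntries) cache.put(alias, encoded);
      return encoded;                              // past the limit: still correct, just uncached
    }
  }

  static final String CERT_1 = "-----BEGIN CERTIFICATE----- constructed cert-1 -----END CERTIFICATE-----";
  static final String CERT_2 = "-----BEGIN CERTIFICATE----- constructed cert-2 -----END CERTIFICATE-----";

  public static void main(String[] args) {
    // Rotating alias: a reload produces a new alias, so the cache cannot serve stale material.
    RotatingAliasKeyManager km = new RotatingAliasKeyManager();
    AliasKeyedEncoder encoder = new AliasKeyedEncoder(1024);
    System.out.println("alias before load: " + km.chooseServerAlias()); // null

    km.updateIdentityCredentials(CERT_1);
    String a1 = km.chooseServerAlias();                        // key-1
    encoder.encodedFor(a1, km.credentialFor(a1));             // miss: encoded once
    encoder.encodedFor(a1, km.credentialFor(a1));             // hit: served from cache
    km.updateIdentityCredentials(CERT_2);                     // credential rotation
    String a2 = km.chooseServerAlias();                        // key-2
    byte[] fresh = encoder.encodedFor(a2, km.credentialFor(a2)); // miss: new entry for the new cert
    System.out.println("after rotation, alias " + a2 + " serves cert-2: "
        + new String(fresh, StandardCharsets.UTF_8).contains("cert-2") + ", encodes=" + encoder.encodeCalls);

    // Constant alias (the behaviour the PR fixes): the cache keeps returning the pre-rotation cert.
    AliasKeyedEncoder constantAlias = new AliasKeyedEncoder(1024);
    constantAlias.encodedFor("default", new Credential("default", CERT_1));
    byte[] stale = constantAlias.encodedFor("default", new Credential("default", CERT_2));
    System.out.println("constant alias still serves cert-1 after rotation: "
        + new String(stale, StandardCharsets.UTF_8).contains("cert-1"));

    // Warning threshold: a low threshold shows the soft warning on the N-th reload; the manager keeps working.
    RotatingAliasKeyManager small = new RotatingAliasKeyManager(2);
    small.updateIdentityCredentials(CERT_1);
    small.updateIdentityCredentials(CERT_2); // logs the warning, alias is now key-2
    System.out.println("alias after threshold: " + small.chooseServerAlias());
  }
}
```

With the rotating alias, the second handshake after a rotation misses the cache and picks up cert-2, while the constant-alias run keeps serving cert-1 from the cache even though new credentials were loaded; the encode counter stays at two in the rotating case, which is the "cache per credential revision, not per handshake" behaviour the PR is after.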

zhangweikop force-pushed the tls-key-manager-update branch from a54cf0b to a18d1a6 on March 10, 2026 21:38
zhangweikop force-pushed the tls-key-manager-update branch from a18d1a6 to 9456de4 on March 10, 2026 22:29

Development

Successfully merging this pull request may close these issues.

Performance overhead on handshake when using AdvancedTlsX509KeyManager with OPENSSL provider